Risk Based Thinking

All management system standards are designed with the ultimate aim of managing risk and encouraging improvement of your systems, processes and, ultimately, your business.

We are all familiar with risk.  We deal with it continually as part of our everyday lives.  We carry out actions, often without thinking, to mitigate the possibility of things going wrong: we look both ways before crossing the road, indicate before turning left or right in our cars, and check the bath water before jumping in.  The same principles apply to management system risk.  You will find that, subconsciously, you have already addressed many risks and continue to do so on a day-to-day basis.

To identify risk within your organisation, it is important not only for top management to come together and discuss high-level business risk, but also to speak to staff at an operational level, who manage the risk associated with their roles on a daily basis.

Once you have identified a risk, it is important that you measure it.  By this we mean: what is the impact or potential impact of that risk, and what is the likelihood of it occurring?  The outcome of this measurement will invariably define the level of risk to your business and the subsequent mitigation you must apply.  The higher the risk, the less you want it to happen and the more mitigation and monitoring may be required.

Assign responsibility for managing risk and make sure the person responsible is completely aware of that responsibility and your expectations of them in managing it.

It is then also important to review risk as things change, for example with a new service, new customers or a change in legislation.

So how do we deal with risk?

The Management System Standards require us to develop and implement a plan to address risk.  This plan should take into account your highest risks and eliminate or mitigate those risks to an acceptable level in accordance with your own risk appetite.

Types of risk treatment could be one or more of the following:

Elimination: The most effective risk management tool is to remove a risk altogether.  Whilst this is the most effective tool, it is very rare that you can eliminate a risk completely.

Substitution:  Replace the risk with something that constitutes a smaller risk.  For example, you could replace a poorly performing item of machinery with a new machine.  This could improve quality risk, environmental risk and perhaps even health and safety risk.

Engineering:  Change the process, equipment or workplace to reduce a risk.

Administrative:  Establish policies and procedures to minimise risk, establish signage, restrict access, carry out training etc.

Acceptance:  Some risk just has to be accepted and if somebody hadn’t taken some risks to start with, none of us would have a job.

Once risk has been identified and addressed, you should then regularly review it and ensure that actions to address risk have been effective.  This could be carried out as part of your Internal Audit or Management Review processes or even specific Risk Review meetings.
